Sophos has revealed how sha zhu pan scammers—those conducting elaborate, romance-based cryptocurrency fraud—are leveraging a business model similar to cybercrime “as-a-service” by selling sha zhu pan kits on the dark web, globally expanding to new markets.
Sophos details these advanced sha zhu pan operations [also known as pig butchering] in the article, “Cryptocurrency Scams Metastasize into New Forms.” Originating from organized crime gangs in China, the new kits provide the technical components needed to implement a specific pig butchering scheme called “DeFi savings.”
Criminals position DeFi savings scams as passive investment opportunities that are similar to money market accounts, oftentimes to people who have no understanding of crypto. Victims only need to connect their crypto wallet to a “brokerage account,” with the expectation that they will earn significant interest from their investment. In reality, victims are adding their crypto wallets to a fraudulent cryptocurrency trading pool, which the fraudsters then empty.
“When pig butchering first appeared during the time of the COVID pandemic, the technical aspects of the scams were still relatively primitive and required a lot of effort and guidance to successfully scam victims. Now, as the scams have become more successful and the fraudsters have refined their techniques, we’re seeing a similar evolution to what we’ve seen with ransomware and other types of cybercrime in the past: the creation of an as-a-service model. Pig butchering rings are creating ready-made DeFi app kits, which other cybercriminals can purchase on the dark web. As a result, new pig butchering rings that are unaffiliated with Chinese organized crime groups are appearing in areas like Thailand, West Africa, and even the U.S.
As with other types of commercialized cybercrime, these kits lower the entry barriers for cybercriminals interested in pig butchering and vastly expand the victim pool. Last year, pig butchering was already a multi-billion-dollar fraud phenomenon; sadly, the problem is likely only to grow exponentially this year,” said Sean Gallagher, principal threat researcher, at Sophos.
Sophos X-Ops has been tracking the evolution of pig butchering schemes for two years. The earliest iterations—dubbed by Sophos as “CryptoRom” scams—involved connecting with potential victims on dating apps and then convincing them to download fraudulent crypto trading applications from third-party sources. For iOS users, these scams required victims to download an elaborate workaround that allowed scammers to bypass security on victims’ devices and gain access to their wallets.
In 2022, the scammers continued to refine their operations, this time finding ways to bypass App Store review processes to sneak their fraudulent apps into the legitimate App Store and Google Play Store. This was also the year that a new scam pattern emerged: fake cryptocurrency trading pools [liquidity mining].
In 2023, Sophos X-Ops uncovered two vast pig butchering rings—one based out of Hong Kong and one based out of Cambodia. These rings leveraged legitimate crypto trading apps and created elaborate fake personas to lure victims and steal millions from them. Further investigation revealed that pig butchering operators were adding AI to their arsenal.
At the end of 2023, Sophos X-Ops uncovered a vast liquidity mining operation involving three separate Chinese organized crime rings targeting nearly 100 victims. During the investigation into this operation, Sophos X-Ops first noticed the availability of pig butchering scam kits.
In the most recent pig butchering operations that Sophos X-Ops has investigated, the fraudsters have removed any previous technological impediments, as well as significantly lowered the amount of social engineering required to steal from victims. In the DeFi savings schemes, victims now engage in fraudulent crypto trading through legitimate, well-known cryptocurrency apps and give [albeit unknowingly] the scammers direct access to their wallets. In addition, the scammers can conceal the wallet network that launders stolen crypto, making the scams harder for law enforcement to track.
“The DeFi savings scams are the culmination of two years of pig butcherers refining their operations. Gone are the days when scammers had to convince victims to download some strange app or transfer the crypto themselves into a soon-to-be-stolen digital wallet.
“The fraudsters have also learned how to better ‘market’ their schemes. They’re taking advantage of how liquidity mining pools operate to steal the funds by telling victims it’s a simple investment account. This is often an easier sell, especially since most people don’t understand the ins and outs of cryptocurrency trading and everything is done under the guise of trusted brands.
“In other words, it’s never been easier for people to fall victim to pig butchering, which means it’s never been more important to be aware that these scams exist—and know what to look out for,” said Gallagher.
Related Content: Sophos Voted As The Market Leader For 14 Years Running